mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
Size

1.0MB
MD5

8219c91ff157d34ad13e9eaaca1ff3d0
SHA1

1ef89eb62e086d504b80795557ac9e42686a9d28
SHA256

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f
SHA512

d01862cedd90ade8eb621e73e2bbc1eeb7a937b0c7f7d288422f32a83afcf8ba832b6554aefb8aee40d43597cd8721750c470e1d59926f7bb03d7539a416caf1
SSDEEP

24576:Cy6yVCA/5fXKw6PEZ9jSvWMLsfUAUgcsbb/ZYGtrSmzFgiHa:p6yfBfXKVPEfSv22Ps+s7z2i

Score

10^/10

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral28/memory/4540-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral28/memory/4540-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral28/memory/4540-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral28/memory/5092-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 6 IoCs

Processes:

QO4vb69.exeyo2bo38.exe1cd54Dh6.exe2OK3253.exe3uO25Af.exe4RH916LN.exe

pid process

2756 QO4vb69.exe
1260 yo2bo38.exe
3376 1cd54Dh6.exe
4760 2OK3253.exe
1944 3uO25Af.exe
2464 4RH916LN.exe

pid	process
2756	QO4vb69.exe
1260	yo2bo38.exe
3376	1cd54Dh6.exe
4760	2OK3253.exe
1944	3uO25Af.exe
2464	4RH916LN.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exeQO4vb69.exeyo2bo38.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QO4vb69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yo2bo38.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1cd54Dh6.exe2OK3253.exe4RH916LN.exe

description	pid	process	target process
PID 3376 set thread context of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 4760 set thread context of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 2464 set thread context of 5092	2464	4RH916LN.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3uO25Af.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

4840 AppLaunch.exe
4840 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4840 AppLaunch.exe

pid	process
4840	AppLaunch.exe
4840	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4840	AppLaunch.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exeQO4vb69.exeyo2bo38.exe1cd54Dh6.exe2OK3253.exe4RH916LN.exe

description	pid	process	target process
PID 2648 wrote to memory of 2756	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	QO4vb69.exe
PID 2648 wrote to memory of 2756	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	QO4vb69.exe
PID 2648 wrote to memory of 2756	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	QO4vb69.exe
PID 2756 wrote to memory of 1260	2756	QO4vb69.exe	yo2bo38.exe
PID 2756 wrote to memory of 1260	2756	QO4vb69.exe	yo2bo38.exe
PID 2756 wrote to memory of 1260	2756	QO4vb69.exe	yo2bo38.exe
PID 1260 wrote to memory of 3376	1260	yo2bo38.exe	1cd54Dh6.exe
PID 1260 wrote to memory of 3376	1260	yo2bo38.exe	1cd54Dh6.exe
PID 1260 wrote to memory of 3376	1260	yo2bo38.exe	1cd54Dh6.exe
PID 3376 wrote to memory of 2592	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 2592	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 2592	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 3376 wrote to memory of 4840	3376	1cd54Dh6.exe	AppLaunch.exe
PID 1260 wrote to memory of 4760	1260	yo2bo38.exe	2OK3253.exe
PID 1260 wrote to memory of 4760	1260	yo2bo38.exe	2OK3253.exe
PID 1260 wrote to memory of 4760	1260	yo2bo38.exe	2OK3253.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 4760 wrote to memory of 4540	4760	2OK3253.exe	AppLaunch.exe
PID 2756 wrote to memory of 1944	2756	QO4vb69.exe	3uO25Af.exe
PID 2756 wrote to memory of 1944	2756	QO4vb69.exe	3uO25Af.exe
PID 2756 wrote to memory of 1944	2756	QO4vb69.exe	3uO25Af.exe
PID 2648 wrote to memory of 2464	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	4RH916LN.exe
PID 2648 wrote to memory of 2464	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	4RH916LN.exe
PID 2648 wrote to memory of 2464	2648	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	4RH916LN.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe
PID 2464 wrote to memory of 5092	2464	4RH916LN.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
"C:\Users\Admin\AppData\Local\Temp\f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe
Filesize
1.1MB

MD5
285fa61da44042a76502bdaf177bfdc3

SHA1
633c6a7d280526ce15fc4b3cc592d23b3f0b9369

SHA256
518d5eb779e2a1b222e4c73ddee1d1fc11f084b7e4a86c89cd5c7527588440c0

SHA512
0e5104787d42c631f406bd0f8f1a514ea20deb3b82fa3ba17c53e18b7bdfaa873085eb71ea4154ba0e42d6bab974e2671b5befc63d8bbb56a511b0d9900350e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe
Filesize
649KB

MD5
b026152757756ac3658155420556791e

SHA1
ab377b5c0fba225ce59f5167b4a9afc1425f2ab5

SHA256
2b692d9f64d5f9addafddb0daac9e57132a2d0a1374eaabe3c4190055f569092

SHA512
6ccab4c67b217accc645ff3065f2dc6b004c9d0b8dbe251e54ececf21c99d20341605afdf2c3dfaacb77ac3a30624dc8247829419f7d3229a1cf508f6998371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe
Filesize
31KB

MD5
1b1ed2b600574a71547a0083548c700f

SHA1
ff3db11401b1c4d5b5cae6a324ca389e5f8b4759

SHA256
1e3a92e82f55f3b4b64751d07f43cf680b1581d6378a582fc58661a46c0aa1ac

SHA512
ab83ae4f1a85887c252dd488725c7b7acc4b57d380963ade7706fcf09ed17081b44fece8670ab33ef1d27fb895effcbea90da57a2ee13f9a7dd4b483f037f4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe
Filesize
524KB

MD5
ee03c76fafa1cb23016c46da39946c86

SHA1
1e05b2852217613d068e1020935675f3b2accbc9

SHA256
f2817b700b78788fba27a54934f8a1b51bf26cb256f9394ce7cd4a7ce3b81bf0

SHA512
c7c5254d1b01714c5582b1239cd0a2ab4cfd5fe01915a807f341f92515d108b8891b35e0eaaf368853327a3e842b7ebbe147c9c1a7034e803855c18db826d568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe
Filesize
869KB

MD5
aa0738466cdc5ed137b0d11b7dba6c2c

SHA1
1de62c97e5c6d871febd5e5d1a14acbacca0535d

SHA256
0d48ce616f40f1e405cfabc0ad7f363b7e950a7085b5e81520ba25d8e81530c5

SHA512
349d0c13ef9fb7eadaf63f5bb09e8956745506d4badfd731ae81c4ced4cbfc6f7ec2c504b42eb4c131b6926eb2d6279bcfd96e4cfb01a7d51c86db97de052784

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe
Filesize
1.0MB

MD5
37bc46e7c2dccba4f672787f18871529

SHA1
7e17d2ccc3bf3fea74ba523bb63b763200c41ebe

SHA256
0c012cf84f2a566233834482aee726755afe7f058afb09fd87f9c8b9390c7e1d

SHA512
56dfe64e3e684552eeeebeaeb7185cfa076bb5b570fdc5fdf0970a1930226f207190403393d1e3137beb1f92cdc89534c9be80fe55b25523c0968545ca50e230

Download Submit
memory/1944-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1944-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4540-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5092-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-38-0x0000000007900000-0x0000000007EA4000-memory.dmp

Filesize
5.6MB

Download
memory/5092-39-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/5092-40-0x0000000004910000-0x000000000491A000-memory.dmp

Filesize
40KB

Download
memory/5092-41-0x00000000084D0000-0x0000000008AE8000-memory.dmp

Filesize
6.1MB

Download
memory/5092-42-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

Filesize
1.0MB

Download
memory/5092-43-0x00000000075A0000-0x00000000075B2000-memory.dmp

Filesize
72KB

Download
memory/5092-44-0x0000000007600000-0x000000000763C000-memory.dmp

Filesize
240KB

Download
memory/5092-45-0x0000000007790000-0x00000000077DC000-memory.dmp

Filesize
304KB

Download